Paubox Weekly Fully Automated - A HIPAA compliant email security Podcast

More ways to sign in securely with multi-factor authentication

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 3:52
In this episode, Jen and Alex discuss Paubox's new MFA options, the ShinyHunters breach involving legacy Iora Health data, World Cup-related phishing scams, and a Senate bill addressing cybersecurity risks in Chinese-made medical devices. The hosts emphasize the importance of addressing legacy systems, conducting thorough asset inventories, and implementing foundational security controls to protect patient data.
SPEAKER_01

You're listening to Powbox Weekly, fully automated.

SPEAKER_00

I'm Jen. I stare at threat reports so you don't have to.

SPEAKER_01

And I'm Alex. I translate those reports into something your board might actually read. It's been a week. It's always been a week. Let's start with some good news for once. Powbox rolled out new MFA options.

SPEAKER_00

Finally, more ways to prove you are who you say you are. Pass keys, authenticator apps, text, email, recovery codes.

SPEAKER_01

The idea being, even if someone gets your password, they still can't get in.

SPEAKER_00

That second factor is the difference between close call and incident response.

SPEAKER_01

And there are guardrails now to keep you from locking yourself out. Which, let's be honest, happens more than anyone admits. Moving on, Shiny Hunters is back in the news. Of course they are. They're claiming nearly nine terabytes of data stolen from one medical. That's Amazon's primary care subsidiary.

SPEAKER_00

Here's the thing though, this wasn't current One Medical data. It was archived records from Iora Health, which they acquired back in 2021.

SPEAKER_01

So legacy systems. Again.

SPEAKER_00

Legacy systems. Always. The breach didn't touch broader One Medical or Amazon infrastructure. But those old records, still patient data, still protected. The lesson here? When you acquire a company, you acquire their technical debt too, including whatever's sitting in a forgotten storage bucket.

SPEAKER_01

Alright, shifting gears. The World Cup. Oh, the fishing bonanza. Researchers found over 600 typosquat domains mimicking FIFA's official site. Plus, 33 fake merchandise stores tied to 2,500 ads.

SPEAKER_00

People bought jerseys they never received. And in exchange, they handed over payment card data, personal info, everything.

SPEAKER_01

And that data's already circulating on the dark web.

SPEAKER_00

Because of course it is. Big events are hunting season for these guys. The emotional pull of fandom makes people click first. Think later.

SPEAKER_01

So if you're shopping for gear.

SPEAKER_00

Go directly to the official site. Type it yourself. Don't trust that ad.

SPEAKER_01

Now, some legislative news. There's a Senate bill targeting cybersecurity risks in Chinese-made medical devices.

SPEAKER_00

This one's actually interesting. It would have the FDA and CISA do a retroactive review of legacy devices already deployed in healthcare settings.

SPEAKER_01

So devices that are already in hospitals, clinics.

SPEAKER_00

Right. And if they're flagged as threats, FDA could recall them.

SPEAKER_01

These devices often collect, transmit, or store PHI.

SPEAKER_00

Exactly. They're not just sitting in a corner. They're connected. They're talking to networks. And if they're compromised, that's a direct line to patient data.

SPEAKER_01

Something for compliance teams to watch. Definitely put it on the radar. And finally, some fun. PalBox hosted a social mixer in San Francisco last week. At the Lark Bar. Customers, prospects, friends of Palbox. Apparently they made some new connections too. I heard the pics are up. They are. Worth a look if you want to see what happens when security folks get to relax for a minute.

SPEAKER_00

We do occasionally leave our desks.

SPEAKER_01

So, wrapping up, what's the thread this week?

SPEAKER_00

It's not bad luck, it's bad configurations, blind spots, legacy systems nobody's looking at.

SPEAKER_01

Archive data from acquisitions. Devices deployed years ago. Phishing domains that prey on distraction.

SPEAKER_00

And most of it? MFA is fixable. Asset inventory is fixable. User education is fixable.

SPEAKER_01

The stakes are real, but so are the solutions.

SPEAKER_00

Do the boring work. It pays off.

SPEAKER_01

That's it for this week. Stay safe out there.

SPEAKER_00

And patch your stuff.